The Information Commissioner’s response to the 
preliminary report into the law and procedures in 
serious sexual offences in Northern Ireland 


Introduction 


1. The Information Commissioner (the Commissioner) is pleased to 
respond to the preliminary report into the law and procedures in 
serious sexual offences in Northern Ireland (the Gillen Report). 


2. The Commissioner has responsibility for promoting and enforcing the 
EU General Data Protection Regulation 2016 (GDPR), the UK Data 
Protection Act 2018 (DPA) and additional information rights 
legislation. 


3. The Commissioner is independent of government and upholds 
information rights in the public interest, promoting openness by 
public bodies and data privacy for individuals. The Commissioner 
does this by providing guidance to individuals and organisations, 
solving problems where she can, and taking appropriate action where 
the law is broken. 


4. The Commissioner welcomes the review into the law and procedures 
in serious sexual offences in Northern Ireland. However, it is vital 
that any changes arising out of the preliminary report and the 
recommendations contained therein comply with legislation, including 
recent changes to data protection law by way of the implementation 
of the GDPR. 


5. One of the key changes introduced in the GDPR is the new legal 
requirement for controllers, in certain circumstances, to carry out a 
Data Protection Impact Assessment (DPIA). A DPIA is a process to 
help controllers identify and minimise the data protection risks of a 
project or processing operation. Two of the said circumstances are as 
follows and feature heavily throughout this consultation response: 

a. Controllers must complete a DPIA before carrying out types of 
processing likely to result in high risk to individuals’ rights and 
freedoms. If the DPIA identifies a high risk that the controller 
cannot mitigate, they are obliged to consult the ICO in relation 
to the proposed processing. Controllers should refer to the 
ICO’s website for detailed guidance on carrying out a DPIA and 
the need to consult with the ICO. 

b. UK government, including the devolved administrations, must 
also consult with the ICO on their DPIA when developing policy 
proposals relating to the processing of personal data. All public 
sector officials (including those in Government Departments and 
Arm’s Length Bodies) who are developing proposals for 
legislation which concern, require or provide for data processing 
are obliged to comply with this provision. The requirement to 
consult covers all relevant policy proposals for legislation 
adopted by a national parliament. This includes: 

i. primary and secondary legislation; 
ii. regulatory measures (such as regulations, directions and 
orders) made under primary or secondary legislation; 
iii. statutory codes of practice; and 
iv. statutory guidance. 


It should be noted that such consultation is directly with the 
ICO and is quite separate from any more general public 
consultation, which would not satisfy the above requirements. 
DCMS is working to issue guidance on the application of this 
requirement and Northern Ireland Departments and Arm’s 
Length Bodies should be mindful of that pending guidance for 
future reference. 


6. The Commissioner’s responses to the Gillen Report are outlined 
below and correspond to the relevant chapters contained within the 
Report. 


Chapter 2 - The voice of complainants 


7. Recommendation 20 refers to the introduction of a ‘single online case 
management system’ from pre-charge to disposal so that all parties 
can access one digital case file. As per point 5(a), this is likely to 
require a DPIA for a new technology involving the processing of 
special category data of vulnerable data subjects on a large scale. 


Chapter 3 - Restricting access of the public 


8. Reference is made under recommendation 28 to the use of ‘ciphers’ 
being applied to a complainant’s identity in all court hearings and for 
their image not to be publicly displayed during the hearing. It will be 
important to clarify as part of this processing whether the data is 
anonymised or pseudonymised as each has different implications in 
relation to the definition of personal data and, in turn, the legislative 
obligations. Controllers should refer to the guidance available on the 
Commissioner's website in relation to this aspect. 


Chapter 4 - Pre-recorded cross-examination 


9. Chapter 4 includes a recommendation under 4.141 for legislation 
admitting pre-recorded cross-examination to Northern Ireland to be 
commenced. As per point 5(b), this is likely to require consultation 
with the ICO as it would be a legislative change concerning the 
processing of personal data. 


Chapter 5 - Separate legal representation 


10. Recommendation 45 suggests that publicly funded legal 
representation should be granted to complainants who wish to 
exercise the right to appear in court to object to the disclosure of 
their medical records to the defence team or to ensure it is restricted 
to the minimum necessary, or object to the introduction of their 
previous medical history. 


11. The data minimisation principle set out in Article 5(1)(c) of the GDPR 
sets out that personal data must be adequate, relevant and limited to 
what is necessary. This is especially crucial for cases involving 
information of such a sensitive nature which constitutes special 
category data under data protection law and warrants additional 
protection. 


12. This is an example of where controllers should be implementing data 
protection by design and by default as per Article 25 of the GDPR, 
whereby they consider the data protection implications before the 
processing begins. If there are concerns over whether the 
complainant’s entire medical records should be disclosed to the 
defence team, these should be addressed at the outset of the case. 
Data subjects should not require legal representation, publicly funded 
or otherwise, in order to exercise such a fundamental right to object 
to their sensitive personal data being disclosed if it is not necessary. 
If the information is not necessary, it should not be disclosed by 
default. 


Chapter 7 - Social media 


13. Recommendation 63 states that data controllers, including internet 
intermediaries, must erase content based on the right to be forgotten 
requests. Clarification could be added here that the right to be 
forgotten is a qualified right under the GDPR and will only apply in 
certain circumstances where specific criteria are met. The 
Commissioner’s guidance goes into more detail on this and all the 
other rights available under the GDPR. 


14 January 2019 V.1.0 Final 
Upholding information rights 
3rd Floor, 14 Cromac Place, Belfast, BT7 2JB 
Tel. 0303 123 1114 
Information Commissioner's Office www.ico.org.uk 


Chapter 12 - Voice of the accused 


14. Chapter 12.14-12.16 states that PSNI will not name those arrested 
or suspected of a crime unless in exceptional circumstances and 
there is a legitimate policing purpose for doing so and refers to this 
being “in accordance with recommendations of..the Information 
Commissioner”. They are said to, however, release some details 
about the person such as gender, age, area they live in, arrest date, 
etc. PSNI will need to consider the likelihood of this information 
being potentially attributable to an identifiable individual on a case by 
case basis and document their decision making in order to 
demonstrate compliance. 


15. A recommendation is raised at R149 for legislation to protect the 
identity of schoolteachers accused of sexually assaulting a child at 
their school. As per point 5(b), this is likely to require consultation 
with the ICO as it would be a legislative change concerning the 
processing of personal data. 


16. A recommendation is also raised at R150 for statutory regulation to 
prohibit the publication of the identity of those being investigated for 
serious sexual offences until they are charged. As per point 5(b), 
this is likely to require consultation with the ICO as it would be a 
legislative change concerning the processing of personal data. 


Chapter 14 - The voice of the child 


17. Recommendation 196 relates to making provision for non-court 
remote live link such as NSPCC premises or investment in mobile live 
link equipment. As per point 5(a), this is likely to require a DPIA for 
such a new piece of technology involving the processing of special 
category data of vulnerable data subjects on a large scale. 


18. Recommendation 202 refers to amendment to The Criminal Evidence 
(Northern Ireland) Order 1999 to extend the availability of live link 
measures to a child defendant on the basis of fear or distress. As per 
point 5(b), this is likely to require consultation with the ICO as it 
would be a legislative change concerning the processing of personal 
data. 


19. A further recommendation 203 is raised for amendment to The 
Criminal Evidence (Northern Ireland) Order 1999 to extend the 
provision for intermediaries to a child defendant pretrial. As per point 
5(b), this is likely to require consultation with the ICO as it would be 
a legislative change concerning the processing of personal data. 


Chapter 17 - Measures complementing the criminal justice system 


20. A recommendation is raised at R221 to amend the Criminal Law Act 
(Northern Ireland) 1967 to repeal section 5 to remove the risk of 
criminalisation for those with whom a victim discusses the matter 
and they do not report the offence(s), except where the matter 
concerns a child or vulnerable adult in which case the person would 
still be obliged to report to the police, in the absence of a reasonable 
excuse. As per point 5(b), this is likely to require consultation with 
the ICO as it would be a legislative change concerning the processing 
of personal data. 


We trust this is helpful. If you wish to discuss any aspect of our response 
further, please contact us on 0303 123 1114 or ni@ico.org.uk. 


Yours sincerely 


Ken Macdonald 
Head of ICO Regions 